Cisco Releases Security Advisories Affecting Smart Licensing Utility and Identity Service Engine

Advisories address two critical vulnerabilities in Smart Licensing Utility and one medium vulnerability in Identity Service Engine

Threat ID:: CC-4543
Threat Severity:: Medium
Published:: 6 September 2024 12:20 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Advisories address two critical vulnerabilities in Smart Licensing Utility and one medium vulnerability in Identity Service Engine

Affected platforms

The following platforms are known to be affected:

Cisco ISE

Cisco Smart Software Manager

Cisco Smart Licensing Utility

Note: Cisco has confirmed that these vulnerabilities do not affect the following Cisco products:

Smart Software Manager On-Prem
Smart Software Manager Satellite

Threat details

Exploitation attempts of CVE-2024-20440 and CVE-2024-20439

Exploitation attempts of CVE-2024-20440 and CVE-2024-20439 vulnerabilities have been observed in the wild. Additionally, a proof-of-concept exploit code for CVE-2024-20469 is publicly available. The NHS England National CSOC assesses exploitation of these vulnerabilities is considered more likely.

Introduction

Cisco has released a security advisory relating to two critical severity vulnerabilities in Smart Licensing Utility. Cisco Smart License Utility (CSLU) is an application that enables customers to administer licenses and their associated Product Instances from their premises instead of having to directly connect their Smart Licensed enabled Product Instances to Cisco Smart Software Manager (CSSM).

CVE-2024-20439 has a CVSSv3 score of 9.8 and could allow an unauthenticated, remote attacker to log in to an affected system by using a static administrative credential.
CVE-2024-20440 has a CVSSv3 score of 9.8 and could allow an unauthenticated, remote attacker to access sensitive information.

Cisco has also released an advisory regarding a command injection vulnerability affecting Identity Services Engine. Identity Services Engine is a security policy management platform that provides secure network access to end users and devices.

CVE-2024-20469 has a CVSSv3 score of 6.0 and could allow an authenticated, local attacker to perform command injection attacks on the underlying operating systems and escalate privileges to root. To exploit this vulnerability, the attacker must have valid administrator privileges.

Threat updates

Date	Update
21 Mar 2025	Exploitation attempts of CVE-2024-20440 and CVE-2024-20439 have been observed in the wild.

Remediation advice

Affected organisations are encouraged to review the Cisco Security Advisories page and apply the relevant updates detailed in the advisories below.

Remediation steps

Type	Step
Patch	Cisco Smart Licensing Utility Vulnerabilities \| cisco-sa-cslu-7gHMzWmw https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cslu-7gHMzWmw
Patch	Cisco Identity Services Engine Command Injection Vulnerability \| cisco-sa-ise-injection-6kn9tSxm https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-injection-6kn9tSxm

Definitive source of threat updates

https://sec.cloudapps.cisco.com/security/center/publicationListing.x

CVE Vulnerabilities

Status Published

CVE-2024-20439

A vulnerability in Cisco Smart Licensing Utility could allow an unauthenticated, remote attacker to log in to an affected system by using a static administrative credential. This vulnerability is due to an undocumented static user credential for an administrative account. An attacker could exploit this vulnerability by using the static credentials to log in to the affected system. A successful exploit could allow the attacker to log in to the affected system with administrative privileges over the API of the Cisco Smart Licensing Utility application.

Status Published

CVE-2024-20440

A vulnerability in Cisco Smart Licensing Utility could allow an unauthenticated, remote attacker to access sensitive information. This vulnerability is due to excessive verbosity in a debug log file. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain log files that contain sensitive data, including credentials that can be used to access the API.

Status Published

CVE-2024-20469

A vulnerability in specific CLI commands in Cisco Identity Services Engine (ISE) could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root. To exploit this vulnerability, the attacker must have valid Administrator privileges on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted CLI command. A successful exploit could allow the attacker to elevate privileges to root.

Last edited: 21 March 2025 1:01 pm